Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement multithread #44

Merged
merged 2 commits into from
Dec 6, 2023
Merged

Implement multithread #44

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
146809d
Try to make multithreaded but not tested
obelisk Nov 29, 2023
63b374d
Wrap Signatory::Direct's PrivateKey with Mutex
timweri Nov 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 15 additions & 11 deletions rustica-agent-cli/src/config/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ pub enum RusticaAgentAction {
ListPIVKeys(listpivkeys::ListPIVKeysConfig),
ListFidoDevices,
GitConfig(PublicKey),
RefreshAttestedX509(refresh_attested_x509_certificate::RefreshAttestedX509Config)
RefreshAttestedX509(refresh_attested_x509_certificate::RefreshAttestedX509Config),
}

impl From<std::io::Error> for ConfigurationError {
Expand Down Expand Up @@ -85,26 +85,26 @@ fn get_signatory(
match (cmd_slot, config_slot, file, &config_key) {
(Some(slot), _, _, _) => match slot_parser(slot) {
Some(s) => Ok(Signatory::Yubikey(YubikeySigner {
yk: Yubikey::new().unwrap(),
yk: Yubikey::new().unwrap().into(),
slot: s,
})),
None => Err(ConfigurationError::BadSlot),
},
(_, _, Some(file), _) => match PrivateKey::from_path(file) {
Ok(p) => Ok(Signatory::Direct(p)),
Ok(p) => Ok(Signatory::Direct(p.into())),
Err(e) => Err(ConfigurationError::CannotReadFile(format!(
"{}: {}",
e, file
))),
},
(_, Some(slot), _, _) => match slot_parser(slot) {
Some(s) => Ok(Signatory::Yubikey(YubikeySigner {
yk: Yubikey::new().unwrap(),
yk: Yubikey::new().unwrap().into(),
slot: s,
})),
None => Err(ConfigurationError::BadSlot),
},
(_, _, _, Some(key_string)) => Ok(Signatory::Direct(PrivateKey::from_string(key_string)?)),
(_, _, _, Some(key_string)) => Ok(Signatory::Direct(PrivateKey::from_string(key_string)?.into())),
(None, None, None, None) => Err(ConfigurationError::MissingSSHKey),
}
}
Expand Down Expand Up @@ -166,7 +166,9 @@ pub fn add_daemon_options(cmd: Command) -> Command {
)
}

fn parse_config_from_args(matches: &ArgMatches) -> Result<UpdatableConfiguration, ConfigurationError> {
fn parse_config_from_args(
matches: &ArgMatches,
) -> Result<UpdatableConfiguration, ConfigurationError> {
UpdatableConfiguration::new(matches.value_of("config").unwrap())
.map_err(|e| ConfigurationError::BadConfiguration(e))
}
Expand Down Expand Up @@ -255,10 +257,11 @@ pub async fn configure() -> Result<RusticaAgentAction, ConfigurationError> {
.about("Show the git configuration for code-signing with the provided key"),
);

let refresh_x509 = refresh_attested_x509_certificate::add_configuration(new_run_agent_subcommand(
"refresh-attested-x509",
"Refresh an X509 certificate in a Yubikey slot",
));
let refresh_x509 =
refresh_attested_x509_certificate::add_configuration(new_run_agent_subcommand(
"refresh-attested-x509",
"Refresh an X509 certificate in a Yubikey slot",
));

let command_configuration = command_configuration
.subcommand(immediate_mode)
Expand Down Expand Up @@ -312,7 +315,8 @@ pub async fn configure() -> Result<RusticaAgentAction, ConfigurationError> {
}

if let Some(x509_config) = matches.subcommand_matches("refresh-x509") {
return refresh_attested_x509_certificate::configure_refresh_x509_certificate(x509_config).await;
return refresh_attested_x509_certificate::configure_refresh_x509_certificate(x509_config)
.await;
}

cc_help.print_help().unwrap();
Expand Down
15 changes: 7 additions & 8 deletions rustica-agent-cli/src/config/multimode.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ use std::{collections::HashMap, fs};

use rustica_agent::{
get_all_piv_keys, Handler, RusticaAgentLibraryError, Signatory, YubikeyPIVKeyDescriptor,
YubikeySigner
YubikeySigner,
};

use clap::{Arg, ArgMatches, Command};
Expand Down Expand Up @@ -91,7 +91,7 @@ fn get_signatory(
let key = PublicKey::from_bytes(key).unwrap();
if certificate_fingerprint == key.fingerprint().hash {
let sig = Signatory::Yubikey(YubikeySigner {
yk: Yubikey::open(des.serial).unwrap(),
yk: Yubikey::open(des.serial).unwrap().into(),
slot: des.slot,
});
return Ok((des.public_key.clone(), sig));
Expand All @@ -102,7 +102,7 @@ fn get_signatory(
if certificate_fingerprint == private_key.pubkey.fingerprint().hash {
return Ok((
private_key.pubkey.clone(),
Signatory::Direct(private_key.clone()),
Signatory::Direct(private_key.clone().into()),
));
}
}
Expand Down Expand Up @@ -157,17 +157,16 @@ pub async fn configure_multimode(
key_map.remove(&pubkey.encode().to_vec());

let handler = Handler {
updatable_configuration,
cert: None,
updatable_configuration: updatable_configuration.into(),
cert: None.into(),
pubkey: pubkey.clone(),
signatory,
stale_at: 0,
stale_at: 0.into(),
certificate_options,
identities: private_keys,
identities: private_keys.into(),
piv_identities: key_map,
notification_function: None,
certificate_priority: matches.is_present("certificate-priority"),

};

Ok(RusticaAgentAction::Run(RunConfig {
Expand Down
80 changes: 41 additions & 39 deletions rustica-agent-cli/src/config/refresh_attested_x509_certificate.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
use std::env;

use clap::{Command, Arg, ArgMatches};
use rustica_agent::{slot_validator, slot_parser, Signatory, YubikeySigner, config::UpdatableConfiguration};
use clap::{Arg, ArgMatches, Command};
use rustica_agent::{
config::UpdatableConfiguration, slot_parser, slot_validator, Signatory, YubikeySigner,
};
use sshcerts::yubikey::piv::Yubikey;

use super::{RusticaAgentAction, ConfigurationError, parse_config_from_args};
use super::{parse_config_from_args, ConfigurationError, RusticaAgentAction};

pub struct RefreshAttestedX509Config {
pub updatable_configuration: UpdatableConfiguration,
Expand All @@ -22,7 +24,7 @@ pub async fn configure_refresh_x509_certificate(
let slot = slot_parser(&slot).unwrap();

let signatory = Signatory::Yubikey(YubikeySigner {
yk: Yubikey::new().unwrap(),
yk: Yubikey::new().unwrap().into(),
slot,
});

Expand All @@ -37,42 +39,42 @@ pub async fn configure_refresh_x509_certificate(
Err(_) => return Err(ConfigurationError::YubikeyManagementKeyInvalid),
};


Ok(RusticaAgentAction::RefreshAttestedX509(RefreshAttestedX509Config {
updatable_configuration,
signatory,
pin,
management_key,
}))
Ok(RusticaAgentAction::RefreshAttestedX509(
RefreshAttestedX509Config {
updatable_configuration,
signatory,
pin,
management_key,
},
))
}

pub fn add_configuration(cmd: Command) -> Command {
cmd
.arg(
Arg::new("slot")
.help("Numerical value for the slot on the yubikey to use for your private key")
.long("slot")
.short('s')
.required(true)
.validator(slot_validator)
.takes_value(true),
)
.arg(
Arg::new("pin-env")
.help("Specify a different pin environment variable")
.default_value("YK_PIN")
.long("pinenv")
.short('p')
.required(false)
.takes_value(true),
)
.arg(
Arg::new("management-key")
.help("Specify the management key")
.default_value("010203040506070801020304050607080102030405060708")
.long("mgmkey")
.short('m')
.required(false)
.takes_value(true),
)
cmd.arg(
Arg::new("slot")
.help("Numerical value for the slot on the yubikey to use for your private key")
.long("slot")
.short('s')
.required(true)
.validator(slot_validator)
.takes_value(true),
)
.arg(
Arg::new("pin-env")
.help("Specify a different pin environment variable")
.default_value("YK_PIN")
.long("pinenv")
.short('p')
.required(false)
.takes_value(true),
)
.arg(
Arg::new("management-key")
.help("Specify the management key")
.default_value("010203040506070801020304050607080102030405060708")
.long("mgmkey")
.short('m')
.required(false)
.takes_value(true),
)
}
12 changes: 5 additions & 7 deletions rustica-agent-cli/src/config/register.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use clap::{Arg, ArgMatches, Command};
use rustica_agent::{slot_validator, PIVAttestation, Signatory, config::UpdatableConfiguration};
use rustica_agent::{config::UpdatableConfiguration, slot_validator, PIVAttestation, Signatory};
use yubikey::piv::SlotId;

use super::{get_signatory, parse_config_from_args, ConfigurationError, RusticaAgentAction};
Expand Down Expand Up @@ -32,12 +32,10 @@ pub async fn configure_register(
Signatory::Direct(_) => return Err(ConfigurationError::CannotAttestFileBasedKey),
};

attestation.certificate = signer
.yk
.fetch_attestation(&signer.slot)
.unwrap_or_default();
attestation.intermediate = signer
.yk
let mut yk = signer.yk.lock().await;

attestation.certificate = yk.fetch_attestation(&signer.slot).unwrap_or_default();
attestation.intermediate = yk
.fetch_certificate(&SlotId::Attestation)
.unwrap_or_default();

Expand Down
20 changes: 11 additions & 9 deletions rustica-agent-cli/src/config/singlemode.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,14 @@ pub async fn configure_singlemode(

let mut signatory = get_signatory(&slot, &config.slot, &file, &config.key)?;
let pubkey = match &mut signatory {
Signatory::Yubikey(signer) => match signer.yk.ssh_cert_fetch_pubkey(&signer.slot) {
Ok(cert) => cert,
Err(_) => return Err(ConfigurationError::YubikeyNoKeypairFound),
},
Signatory::Yubikey(signer) => {
match signer.yk.lock().await.ssh_cert_fetch_pubkey(&signer.slot) {
Ok(cert) => cert,
Err(_) => return Err(ConfigurationError::YubikeyNoKeypairFound),
}
}
Signatory::Direct(privkey) => {
let mut privkey = privkey.lock().await;
if let Some(path) = matches.value_of("fido-device-path") {
privkey.set_device_path(path);
}
Expand All @@ -36,17 +39,16 @@ pub async fn configure_singlemode(
};

let handler = Handler {
updatable_configuration,
cert: None,
updatable_configuration: updatable_configuration.into(),
cert: None.into(),
pubkey: pubkey.clone(),
signatory,
stale_at: 0,
stale_at: 0.into(),
certificate_options,
identities: HashMap::new(),
identities: HashMap::new().into(),
piv_identities: HashMap::new(),
notification_function: None,
certificate_priority: matches.is_present("certificate-priority"),

};

Ok(RusticaAgentAction::Run(RunConfig {
Expand Down
22 changes: 14 additions & 8 deletions rustica-agent-cli/src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,9 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
&config.management_key,
config.require_touch,
config.pin_policy,
) {
)
.await
{
Some(_) => (),
None => {
println!("Provisioning Error");
Expand All @@ -65,7 +67,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
Ok(RusticaAgentAction::ProvisionAndRegisterFido(prf)) => {
let new_fido_key = generate_new_ssh_key(&prf.app_name, &prf.comment, prf.pin, None)?;

let mut signatory = Signatory::Direct(new_fido_key.private_key.clone());
let mut signatory = Signatory::Direct(new_fido_key.private_key.clone().into());
let u2f_attestation = U2FAttestation {
auth_data: new_fido_key.attestation.auth_data,
auth_data_sig: new_fido_key.attestation.auth_data_sig,
Expand Down Expand Up @@ -184,15 +186,19 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
.await;
}
Ok(RusticaAgentAction::RefreshAttestedX509(mut config)) => {
match rustica_agent::fetch_new_attested_x509_certificate(&config.updatable_configuration.get_configuration().servers, &mut config.signatory)
.await
match rustica_agent::fetch_new_attested_x509_certificate(
&config.updatable_configuration.get_configuration().servers,
&mut config.signatory,
)
.await
{
Ok(cert) => match config.signatory {
Signatory::Yubikey(mut yk) => {
yk.yk
.unlock(config.pin.as_bytes(), &config.management_key)
Signatory::Yubikey(yk) => {
let slot = yk.slot;
let mut yk = yk.yk.lock().await;
yk.unlock(config.pin.as_bytes(), &config.management_key)
.unwrap();
yk.yk.write_certificate(&yk.slot, &cert).unwrap();
yk.write_certificate(&slot, &cert).unwrap();
}
Signatory::Direct(_) => {
let parsed_cert = Certificate::from_bytes(cert.to_vec()).unwrap();
Expand Down
12 changes: 6 additions & 6 deletions rustica-agent-gui/src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let agent = load_environments()?; //.into_iter().map(|x| x.to_string_lossy().to_string()).collect();

let options = eframe::NativeOptions::default();
eframe::run_native(
let _ = eframe::run_native(
"Rustica Agent",
options,
Box::new(move |_cc| Box::new(agent)),
Expand Down Expand Up @@ -299,18 +299,18 @@ impl eframe::App for RusticaAgentGui {
private_key.set_device_path(&self.fido_devices[*fido_device].path);

let pubkey = private_key.pubkey.clone();
let signatory = Signatory::Direct(private_key);
let signatory = Signatory::Direct(private_key.into());

let certificate_options = CertificateConfig::from(updatable_configuration.get_configuration().options.clone());

let handler = rustica_agent::Handler {
updatable_configuration,
cert: None,
updatable_configuration: updatable_configuration.into(),
cert: None.into(),
pubkey,
signatory,
stale_at: 0,
stale_at: 0.into(),
certificate_options,
identities: HashMap::new(),
identities:HashMap::new().into(),
piv_identities: self.piv_keys.iter().filter_map(|x| if x.1.in_use {Some((x.0.clone(), x.1.descriptor.clone()))} else {None}).collect(),
notification_function: None,
certificate_priority: self.certificate_priority,
Expand Down
Loading
Loading